5 Posts
0
1669
October 2nd, 2004 17:00
Help with my HijackThis log!!!
Hi,
My laptop (Dell Inspiron 2650) is plagued by a few spyware/adware that refuse to go in spite of using spyware guard, spyware blaster and adaware tools. I have an up-to-date Norton antivirus too. I had installed Kazaa which seems to be the root cause for this problem. However, I tried to remove it and for some reason the ctrl panel-add/rmv prgs can't seem to remove it due to some errors in dll files. So I decided to run the HijackThis to create a log which I have posted below in the hope that somebody can help me figure out what entries exactly I need to remove. I also have some search toolbars (srch.lop.com) and another blue ad toolbar that comes up whenever I open IE. Appreciate your help! Thanx
Logfile of HijackThis v1.98.2
Scan saved at 1:44:38 PM, on 10/2/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\anu\Desktop\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/ymsgr/defaults/*http://my.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.shviwbgncwawgeptadlgrpt.uk/l7JjPYnHruQX9D9UeAt4OHTNJ_4OPQcyHZQaducaOe3xm2E9YZE_agUS/q2CjrUu.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Ante Okay] C:\PROGRA~1\PUREHO~1\bookadmin.exe
O4 - HKLM\..\Run: [Style Internet Meet Window] C:\Documents and Settings\All Users\Application Data\Logoliesstyleinternet\For The.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {4226E9B7-D637-40E8-893A-13298AB41477} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/threatinfo/virusinfo/webscan.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com/components/ocx/survid/MSSurVid.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - http://203.199.42.226/Media/VisitorChat/TLIEFlash.CAB
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/exterior/Outside.cab
O16 - DPF: {DED22F57-FEE2-11D0-953B-00C04FD9152D} (CarPoint Auto-Pricer Control) - http://autos.msn.com/components/ocx/autopricer/autopricer.cab


sunrays
5 Posts
0
October 2nd, 2004 18:00
Thanx Mike for the fast response. Well, I seem to have run into a common problem that a lot of Kazaa uninstallers face when they try to uninstall Kazaa after running spyware removal. Some suggest reinstalling Kazaa and then uninstalling again. As for the other search toolbars that seem glued to my IE, I'm still waiting to hear more.... let's c... I'll try to fix this Kazaa issue and keep u posted. Thanx :)
Midnight Star
4.8K Posts
0
October 2nd, 2004 18:00
What specific error messages are you getting and what are the '.dll' name(s)?
Mike.
Midnight Star
4.8K Posts
0
October 2nd, 2004 18:00
I didn't look at it that close, but at a quick glance...
This entry for "Internet Explorer" looks strange. I can't tell the full directory name, but it might be running from a temporary directory.
c:\progra~1\intern~1\iexplore.exe
This entry is also suspicious:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.shviwbgncwawgeptadlgrpt.uk/l7JjPYnHruQX9D9UeAt4OHTNJ_4OPQcyHZQaducaOe3xm2E9YZE_agUS/q2CjrUu.html
The entire naming convention defies description! Maybe this is your '.lop' problem.
Be sure to get a second opinion on these entries before attempting any 'fix'.
Mike.
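The two observations in the post above (a browser process listed under an 8.3 short path, and a search URL whose host name looks machine-generated) can be turned into a small triage pass over a HijackThis log. This is an added example, not part of the original thread; the function names and the length and vowel-share thresholds are assumptions chosen for illustration, and a hit only marks an entry for the manual second opinion the post recommends.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample: a few lines copied from the log posted in this thread.
SAMPLE_LOG = r"""Running processes:
C:\PROGRA~1\NORTON~1\navapw32.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.shviwbgncwawgeptadlgrpt.uk/l7JjPYnHruQX9D9UeAt4OHTNJ_4OPQcyHZQaducaOe3xm2E9YZE_agUS/q2CjrUu.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
"""

SHORT_NAME = re.compile(r"~\d")   # 8.3 alias component such as progra~1
R_ENTRY = re.compile(r"^R[0-3] - (.+?) = (.+)$")
PROC_PATH = re.compile(r"^[A-Za-z]:\\")

def random_looking(host, min_len=10, max_vowel_share=0.25):
    """True if a DNS label is long and nearly vowel-free (assumed thresholds)."""
    for label in host.lower().split("."):
        letters = [c for c in label if c.isalpha()]
        if len(letters) >= min_len and \
           sum(c in "aeiou" for c in letters) / len(letters) < max_vowel_share:
            return True
    return False

def triage(log_text):
    """Return (kind, item, detail) tuples that deserve a manual second look."""
    findings, dirs_by_image, in_procs = [], defaultdict(set), False
    for line in map(str.strip, log_text.splitlines()):
        entry = R_ENTRY.match(line)
        if line == "Running processes:":
            in_procs = True
        elif entry:
            in_procs = False
            host = urlparse(entry.group(2)).hostname or ""  # "" for non-URL values
            if random_looking(host):
                findings.append(("random-host", entry.group(1), host))
        elif in_procs and PROC_PATH.match(line):
            directory, _, image = line.rpartition("\\")
            dirs_by_image[image.lower()].add(directory.lower())
        else:
            in_procs = False
    # Same image name running from several directories, one written as 8.3.
    for image, dirs in sorted(dirs_by_image.items()):
        short = sorted(d for d in dirs if SHORT_NAME.search(d))
        if short and len(dirs) > 1:
            findings.append(("short-path-duplicate", image, short[0]))
    return findings
```

On the sample, `navapw32.exe` is not reported even though it also uses a short path, because only one directory spelling is seen for it; `iexplore.exe` is reported because it appears under both a short and a long directory name.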
sunrays
5 Posts
0
October 2nd, 2004 19:00
I searched and deleted every *kazza* file from my PC, but I still see it in the ctrl panel-add/rmv prg list. When I try to rmv kazaa from there, I get the foll. error,
Error in C:\WINDOWS\System32\cd_clint.dll
Missing entry: ServiceRunDll
What should I do? How do I wash Kazaa out completely? Any other input on my HJT log entries....?
jamez kann
2 Intern
860 Posts
0
October 2nd, 2004 20:00
If the above fixes fail you would need to run hijackthis
Here are some sites where you can receive help analyzing your HijackThis log from trained experts. Note that the sites require registration before you will be able to post.
Include your Hijackthis log in the post while explaining your problem at the same time.
http://radiosplace.com/
http://tomcoyote.com/hjt/#copyandpaste
Online Tools Resources
You can find almost everything here :) http://forums.subratam.org/index.php?showtopic=43
http://computercops.biz/downloads-cat-14.html
http://encyclopedia.thefreedictionary.com/Online%20Tools%20Resources
http://www.geekstogo.com/forum/index.php?showtopic=38
http://www.windowsbbs.com/showthread.php?t=31695
http://aumha.org/secure.htm
Kill Spyware Forums
http://forums.subratam.org/index.php?showforum=7
tools needed to get help http://forums.subratam.org/index.php?showtopic=7
Forum Led by: Forum Moderators,subratam,baskar1234(DELL REGULAR),efwis,Metallica,psyne, SpyDie, normmork, Admin,chrisRLG(DELL REGULAR)
http://www.bleepingcomputer.com/forums/forum22.html
Our Tutorials
http://www.bleepingcomputer.com/forums/forum6.html
How to submit a Hijackthis Log
http://www.bleepingcomputer.com/forums/topict956.html
HijackThis Tutorial - How to use HijackThis to remove Browser Hijackers & Spyware
http://www.bleepingcomputer.com/forums/tutorial42.html
Forum Led by: Moderators, Global Moderator, groovicus,Grinler(DELL REGULAR),harrywaldron,Papakid,
http://forums.net-integration.net/index.php?showforum=32
Forum Led by: Global Moderator, Administrators, Technical Experts, Technical Assistant, Team Spybot S&D, Technical Guide
TonyKlein,Eagle1,Galadriel,tashi,Archon_Wing,
Spybot Search & Destroy 1.X OFFICIAL FORUM
http://forums.net-integration.net/index.php?showforum=28
lavasoftsupport
http://www.lavasoftsupport.com/index.php?showforum=44
Forum Led by: SpyDie, Lavasoft Admins, Moderators
Newbies
http://www.lavasoftsupport.com/index.php?showforum=34
http://forum.gladiator-antivirus.com/index.php?showforum=170
Forum Led by: CalamityJane, LoPhatPhuud, FatsGordon,Hunter,TheSentinel,
Guidelines for Posting in This Forum, READ THIS FIRST PLEASE
http://forum.gladiator-antivirus.com/index.php?showtopic=10517
How to Stop Hijackers & Spyware Infections, And other malware too!
http://forum.gladiator-antivirus.com/index.php?showtopic=9857
For immediate help or advice on hijackthis for further solutions before proceeding you could also visit the online experts on the chat
There may or may not be experts in the chat rooms depending on the time you log into those chat rooms
http://chat.skads.org/applet/
http://chat.subratam.org/
http://tech-touch.net/temp/indexold.php
http://www1.spywareinfo.com/chat/#chat
You will get a security warning; click yes if you get it. If you can't log in, press F5 on your keyboard to allow the page to refresh, then try and connect. Also click on join and in the name type #killspyware
http://www.net-integration.net/chat1.html
sunrays
5 Posts
0
October 2nd, 2004 20:00
Midnight Star
4.8K Posts
0
October 2nd, 2004 20:00
sunrays,
Here's the problem, I think, with programmatically removing these 'problem' programs, in some cases:
The 'garbage' makers can change and add additional program(s) and file(s) to their downloads, that AdAware and others aren't aware of. These types of programs will still attempt to remove the 'problems', which results in leaving 'trace' elements behind; they might know just enough to keep it from starting up on your computer.
My first suggestion to everyone who uses AdAware and Spybot is to first check their "Add/Remove programs" entries and see if it can be removed from there. I had NewDotNet one time when I downloaded a screensaver of a waterfall. When AdAware found it, the first thing I did was to look up, using GOOGLE, just what it was, and what potential damage it caused; privacy/security breach, etc. When I'd begun reading about others who'd used 'spyware' busting programs like AdAware to remove them, they each reported losing their internet connection; couldn't connect to the internet because, unknown to them, their winsock 'stack' was 'broken'. So I went to NewDotNet's website, as recommended by others less fortunate, and removed it from there, and didn't use a program to do it. If others say it's safe to remove it using AdAware, for example, I'll use it.
I would suggest backing up your registry, creating a manual restore point, then using "regedit" to do an "Edit/Find..." and look for all Kazaa entries. Note any file names, when present, then try locating them on your hard drive. But even then, it could be risky.
I'm sorry I don't have more information on Kazaa, I wasn't quite brave enough to download it onto my system ....
Mike.
Chik
453 Posts
0
October 2nd, 2004 22:00
This program will repair Winsock 2 settings if necessary after removing Kazaa
sunrays
5 Posts
0
October 4th, 2004 14:00
Thanx Chik, was able to get rid of Kazaa finally! But it still shows up in my ctrl panel-add/rmv prg.
Removed the annoying srch.lop.com adwares using a trial ver of Webroot's Spy Sweeper. It did a great job! I'm slowly moving closer to having a clean clean computer. lets c....